Do Firewalls make sense?

Published: 2012-05-17
Last Updated: 2012-05-17 18:25:36 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

Once in a while, someone comes up with the idea that firewalls are really not all that necessary. Most recently, Roger Grimes of Infoworld [1][2]. I am usually of the opinion that we definitely probably need firewalls. But I think the points made by the anti-firewall faction offer some insight into not only why we really need firewalls, but also what people don't understand about firewalls.

To clarify from the start: I am talking here about good old basic network firewalls. No deep packet inspection rules and no host based firewalls.

From a security point of view, firewalls offer two main functions: they regulate traffic, and they provide logs. The second part is often neglected. But look over some of the stories here, and quite frequently you will find cases in which firewall logs tipped the scale. For example, the "duplicate DNS response" issue earlier this week was initially found by an observant reader watching firewall logs.

When it comes to filtering, some consider firewalls not worth the trouble because "they only filter on ports that are closed on the server anyway". I think this shows a lack of understanding of what a firewall can do to protect servers. My best firewall wins usually came from outbound filtering of traffic trying to leave the server.

The next argument against firewalls is that there are usually better devices to do the filtering: proxies have real application insight, and router and switch ACLs can usually pick up the low-end port filtering part. As far as the proxy is concerned: I say get one too. But proxies are usually rather complex devices to configure correctly, and I would rather get the easy stuff out of the way first using a firewall. At the same time: how do I make sure my traffic actually uses the proxy? That typically involves a firewall.
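The two functions named above, regulating traffic and producing logs, come together in outbound filtering with an egress deny rule that logs what tries to leave the server, which also enforces proxy use. The following Python is added here and is not code from the original diary: it parses netfilter-style LOG lines (a constructed sample; the "OUTBOUND-DROP" and "INBOUND-DROP" prefixes, host names and addresses are assumptions) and separates denied outbound flows into probable proxy bypasses versus services the server should not be reaching at all.

```python
"""Triage netfilter LOG lines for denied outbound connections from a server.

Added example, not code from the original ISC diary. Field names follow the
netfilter LOG target format; sample lines, hosts, interface names and the
--log-prefix values ("OUTBOUND-DROP", "INBOUND-DROP") are constructed.
"""
import re
from collections import Counter

# Constructed sample: web1 must use the proxy, so an egress deny rule logs anything else.
SAMPLE_LOG = """\
May 17 12:01:03 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.1.20 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=6667 SYN
May 17 12:01:05 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.1.20 DST=203.0.113.9 PROTO=TCP SPT=51235 DPT=443 SYN
May 17 12:01:09 web1 kernel: INBOUND-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.1.20 PROTO=TCP SPT=4444 DPT=3389 SYN
May 17 12:02:11 web1 kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.1.20 DST=198.51.100.7 PROTO=TCP SPT=51240 DPT=6667 SYN
"""

_FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line):
    """Return the log prefix plus netfilter key=value fields, or None."""
    m = re.search(r"kernel: (\S+) ", line)
    if not m:
        return None
    rec = {"prefix": m.group(1)}
    rec.update(_FIELD.findall(line))  # empty values (IN=) become ""
    return rec

def denied_egress(log_text):
    """Count denied outbound flows (OUT set, IN empty) per (SRC, DST, DPT)."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("IN") or not rec.get("OUT"):
            continue  # inbound drops and unparsable lines are not egress events
        flows[(rec["SRC"], rec["DST"], int(rec["DPT"]))] += 1
    return flows

def triage(flows, proxy_ports=(80, 443)):
    """Split egress denies: direct web ports (likely a client bypassing the
    proxy, usually misconfiguration) versus any other service, reviewed first."""
    other = {k: n for k, n in flows.items() if k[2] not in proxy_ports}
    bypass = {k: n for k, n in flows.items() if k[2] in proxy_ports}
    return other, bypass

if __name__ == "__main__":
    other, bypass = triage(denied_egress(SAMPLE_LOG))
    for label, group in (("REVIEW", other), ("proxy bypass?", bypass)):
        for (src, dst, dpt), n in sorted(group.items(), key=lambda kv: -kv[1]):
            print(f"{label} {src} -> {dst}:{dpt} denied {n}x")
```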

A switch or a router may have many features that are found in a classic firewall (even stateful rules and some application logic). They may be perfectly fine for a home user or a small business. However, particularly in an enterprise context, you probably want to split the firewall functionality off to a different device, and with that to a different group of people. The people dealing with routing and network performance ("packet movers") are usually not the same people that are dealing with firewalls and filtering ("packet droppers").

But how many "modern" attacks are really blocked by firewalls? Aren't they all sending a spear phishing email to the user, tricking the user into downloading malware some Chinese kid wrote via the filtering proxy we installed? Next they exfiltrate the data via that same proxy (or DNS, or SMTP... or other services we have to allow)? In part, these modern attacks are a testament to the effectiveness of firewalls. An attacker would probably rather still use the same tool they used back in the 90s to brute force file sharing passwords and download data straight from the system. But sadly, because now even some universities block file sharing using a firewall, these attacks no longer work.

Against these modern attacks, we have other defenses. Some may work against the older versions of these attacks as well. In short, these defenses can be summarized as "end point protection" (whitelisting, anti-virus, host based firewall, hardening of the system...). Hardening a large number of end points is, however, a lot more difficult than configuring a few firewalls well placed at the right choke points.

By now, you are probably going to ask yourself: why hasn't he talked about "defense in depth" yet? The argument doesn't really apply if you are trying to argue for removing a device. Each additional security device can be justified with "defense in depth". But some security devices do not add enough value to justify the expense. I don't think "defense in depth" itself can be used to justify a *particular* security device. It rather justifies the fact that some of our security devices are redundant and fulfill similar, but not identical, roles.

To summarize: if the last time you looked at your firewall rules and logs was back in 2003 to stop SQL Slammer, you may as well get rid of it. But a well managed and configured firewall can have significant value. It is one of the simpler security devices you probably have. Consider it the good reliable six-shooter as compared to the fancy (but sometimes flaky) F-22. Which one are you going to take along to get money from the ATM that just appeared in the DEFCON hotel lobby ;-) .

Thoughts? Flames? Use the comment feature or send us a non-public comment via the contact form.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: firewall


Agreed. His article made little sense. How many times have vendors introduced "old" vulnerabilities like LAND and Smurf into new systems? Or unpatched something? His RDP reasoning was bad. Everyone he knows applied the patch. What about the bad guys who knew about it long before it was patched? What about the people who didn't apply the patch?

In his rebuttal column he said if we get rid of the browser most successful attacks go away. Sure, Roger. Let's turn off the Internet as well. Then we can keep the browsers.

He sounds like an anachronism from the old Jericho Forum. Why would you ever think you could rely on 100% of clients being fully patched and properly configured 100% of the time?
I read that article yesterday as well and was SHOCKED to see that was his position!! While I agree that the firewall doesn't protect the gooey inside, it still does provide a nice hard layer on the outside, especially from the automated script recon/attacks.

Also, there are a few things a firewall can help defend which may not even have a built-in firewall (printers, IP cameras, TVs, etc.)

I wonder if he practices what he preaches and leaves his home internet connection wide open to the world? ;-)
How about blocking China's - that got rid of about 5 percent of the logs right there.
I don't think Roger's article was "wrong". I think it made good points, and I don't agree with the conclusion for the most part. But I think we need to question old assumptions from time to time and he did so in a nice and thoughtful way.

The issue with "defense in depth" as far as the scope of this post is concerned is not that firewalls do not provide "defense in depth". Instead, that argument doesn't contribute to this particular discussion.

"Firewall" is too broad of a term to use as the basis for a conversation about getting rid of something. Anything that doesn't listen on every port as soon as it's connected to a network has a firewall of sorts. People here are going to think of standalone inline firewall devices and firewall rules inside of routers. The articles seem to be ranting about annoying firewall software on client computers.

Also, he claims that our mobile devices and TVs will never have firewalls, but since most of this stuff is linux/unix based now they already do have firewalls and only lack methods for end user configuration. This would seem to be a good thing, since we still have firewalls but have learned to configure them in ways that are not angering users anymore while still providing some level of security.

Defense in depth is hugely relevant to the argument as well. If everyone owns 5 guns and puts a gun lock on one of them, the rate of accidental shootings probably won't drop much at all. That doesn't mean the gun locks don't work, it means you need to do something about the other 4 guns.
Why would anybody lock their guns? ;-) I wasn't saying that FW don't work as Defense in Depth. I am saying everything, including firewalls, work as defense in depth, so it doesn't provide a differentiator for this discussion.
Before long, the regular firewall will just be part of an IPS or layer 4 filter anyway. Why would the vendors sell us 6-shooters when they can make more money by selling us F-22's?
His position is simply wrong.

Without a firewall it's a race between your patch management policy and implementation procedures and every hacker in the world on patch day. They already know what ports are reachable and what services are running. Maybe they don't have a working exploit. But a new vulnerability is announced by the vendor on patch day, and the clock starts ticking. Can you patch all of your systems on Christmas weekend faster than they can create a working exploit?

And that doesn't even touch on the notion of zero days to be used against high profile targets.

There are services running on most systems that you do not want reachable from the internet. And it should go without saying that not every sys admin secures their systems perfectly. That's where the firewall comes in.

The reason most hackers target client software and users is because firewalls prevent them from successfully exploiting systems remotely without user interaction. Taking down the firewall vastly expands the remotely available attack surface.
This debate has gone on forever. Security is a matter of components, compartments and policies.

"Do you have a firewall?" is just one component. How about IDS? How about a comprehensive Anti-virus solution at the perimeter? Do you have a policy that requires checking log files? Do you use any web filtering/Proxy solutions? How about anti-spam? Have you checked your ACL's lately? Reviewed your static routes for NAT? Is there any cruft in your network design or do you review it and make changes on a regular basis?

Inside the network is patch management, AV, Least Privileged User, Encryption, password policies, and on and on. Granted, inside the network is the most problematic place for an IT professional to defend because that is where our end users reside and interact with our networks. Do you have end user education as a part of your security strategy?

I agree that you can't count on a firewall to be a panacea for all of the ills that we face. But it is now, and will for the foreseeable future be, a major component in a comprehensive security solution for any enterprise network. One piece of the puzzle, not the whole enchilada.

We know this, though. On a daily basis we deal with every level of security from the guy behind the keyboard to the VLAN's to the routers to the gateways and the firewalls, etc.

We make sure that if someone does drop something onto our systems that even between services or daemons we have at least SSL connections set up so that all of those communications are secured end to end. Or we should.

Regardless, if we don't have at LEAST a firewall in place with some well defined rules, the rest of the security strategy makes no sense at all.
Now that we all agree that firewalls work, who knows one that can REALLY work in an IPv6 environment? From what I can tell, none actually do very much. IPv4 features are well supported in all firewalls, but IPv6 is almost non-existent.
